Avoid running out of memory when parsing heavily nested arrays or objects (#1226)

Just like Jackson 2.15+ we restrict the maximum allowed number of nested arrays or
objects (or mixed) to 1000. This default can be changed via a sys property.
1000 should be enough for most real world use cases.
Note this is about OutOfMemoryError's, not about StackOverflowError's.
StackOverflowError's are not a problem since we use a @tailrec optimized
method. Therefore this fix is not 100% about CVE-2025-52999 (which in
theory we do not run into) but just an additional precaution.

Author: mkurz

play-json/jvm/src/main/scala/play/api/libs/json/jackson/JacksonJson.scala

@@ -30,6 +30,8 @@ import com.fasterxml.jackson.databind.ser.Serializers
 
 import play.api.libs.json._
 
+import scala.util.control.NonFatal
+
 /**
  * The Play JSON module for Jackson.
  *
@@ -155,7 +157,7 @@ private[jackson] class JsValueDeserializer(factory: TypeFactory, klass: Class[_]
   override def isCachable: Boolean = true
 
   override def deserialize(jp: JsonParser, ctxt: DeserializationContext): JsValue = {
-    val value = deserialize(jp, ctxt, List())
+    val value = deserialize(jp = jp, ctxt = ctxt, parserContext = List())
 
     if (!klass.isAssignableFrom(value.getClass)) {
       ctxt.handleUnexpectedToken(klass, jp)
@@ -190,8 +192,11 @@ private[jackson] class JsValueDeserializer(factory: TypeFactory, klass: Class[_]
   final def deserialize(
       jp: JsonParser,
       ctxt: DeserializationContext,
-      parserContext: List[DeserializerContext]
+      parserContext: List[DeserializerContext],
+      unclosedArraysOrObjects: Long = 0,
   ): JsValue = {
+    var currentUnclosedArraysOrObjects = unclosedArraysOrObjects
+
     if (jp.getCurrentToken == null) {
       jp.nextToken() // happens when using treeToValue (we're not parsing tokens)
     }
@@ -207,15 +212,20 @@ private[jackson] class JsValueDeserializer(factory: TypeFactory, klass: Class[_]
 
       case JsonTokenId.ID_NULL => (Some(JsNull), parserContext)
 
-      case JsonTokenId.ID_START_ARRAY => (None, ReadingList(ArrayBuffer()) +: parserContext)
+      case JsonTokenId.ID_START_ARRAY =>
+        currentUnclosedArraysOrObjects += 1
+        (None, ReadingList(ArrayBuffer()) +: parserContext)
 
       case JsonTokenId.ID_END_ARRAY =>
+        currentUnclosedArraysOrObjects -= 1
         parserContext match {
           case ReadingList(content) :: stack => (Some(JsArray(content)), stack)
           case _ => throw new RuntimeException("We should have been reading list, something got wrong")
         }
 
-      case JsonTokenId.ID_START_OBJECT => (None, ReadingMap(ListBuffer()) +: parserContext)
+      case JsonTokenId.ID_START_OBJECT =>
+        currentUnclosedArraysOrObjects += 1
+        (None, ReadingMap(ListBuffer()) +: parserContext)
 
       case JsonTokenId.ID_FIELD_NAME =>
         parserContext match {
@@ -224,6 +234,7 @@ private[jackson] class JsValueDeserializer(factory: TypeFactory, klass: Class[_]
         }
 
       case JsonTokenId.ID_END_OBJECT =>
+        currentUnclosedArraysOrObjects -= 1
         parserContext match {
           case ReadingMap(content) :: stack => (Some(JsObject(content)), stack)
           case _ => throw new RuntimeException("We should have been reading an object, something got wrong")
@@ -236,13 +247,28 @@ private[jackson] class JsValueDeserializer(factory: TypeFactory, klass: Class[_]
         throw new RuntimeException("We should have been reading an object, something got wrong")
     }
 
+    val defaultMaxDepth = 1000 // Same as Jackson's 2.15+ StreamReadConstraints.DEFAULT_MAX_DEPTH
+    // system property to override the max nesting depth for JSON parsing.
+    val maxNestingDepth: String = "play.json.parser.maxNestingDepth"
+    val maxDepth                =
+      try {
+        sys.props.get(maxNestingDepth).map(Integer.parseInt).getOrElse(defaultMaxDepth)
+      } catch {
+        case NonFatal(_) => defaultMaxDepth
+      }
+
+    if (currentUnclosedArraysOrObjects > maxDepth) {
+      throw new IllegalArgumentException(s"Document nesting depth exceeds the maximum allowed (${maxDepth}).")
+    }
+
     // Read ahead
     jp.nextToken()
 
     valueAndCtx match {
       case (Some(v), Nil)               => v // done, no more tokens and got a value!
-      case (Some(v), previous :: stack) => deserialize(jp, ctxt, previous.addValue(v) :: stack)
-      case (None, nextContext)          => deserialize(jp, ctxt, nextContext)
+      case (Some(v), previous :: stack) =>
+        deserialize(jp, ctxt, previous.addValue(v) :: stack, currentUnclosedArraysOrObjects)
+      case (None, nextContext) => deserialize(jp, ctxt, nextContext, currentUnclosedArraysOrObjects)
     }
   }
 

play-json/jvm/src/test/scala/play/api/libs/json/JsonSpec.scala

@@ -511,5 +511,62 @@ class JsonSpec extends org.specs2.mutable.Specification {
       parsed.asInstanceOf[JsObject].fields.mustEqual(original.fields)
       Json.stringify(parsed).mustEqual(originalString)
     }
+
+    "allow parsing objects nested up to max depth" in {
+      try {
+        val depth = 1000
+        Json.parse(("{\"obj\":" * depth) + "1" + ("}" * depth))
+      } catch {
+        case _: StackOverflowError =>
+          ko("StackOverflowError thrown")
+        case _: OutOfMemoryError =>
+          ko("OutOfMemoryError thrown")
+      }
+      ok
+    }
+
+    "disallow parsing nested objects exceeding max depth" in {
+      val depth = 1001
+      Json
+        .parse(("{\"obj\":" * depth) + "1" + ("}" * depth))
+        .must(throwA[IllegalArgumentException].like { case e: IllegalArgumentException =>
+          e.getMessage.must(equalTo("Document nesting depth exceeds the maximum allowed (1000)."))
+        })
+    }
+
+    "allow parsing heavily nested mixed arrays and objects" in {
+      try {
+        val depth = 1000 - 2 // in the string two open objects { are hardcoded
+        Json.parse("{\"foo\":  {\"arr\":" + ("[" * depth) + "1" + ("]" * depth) + "}}")
+      } catch {
+        case _: StackOverflowError =>
+          ko("StackOverflowError thrown")
+        case _: OutOfMemoryError =>
+          ko("OutOfMemoryError thrown")
+      }
+      ok
+    }
+
+    "disallow parsing heavily nested mixed arrays and objects" in {
+      val depth = 1001 - 2 // in the string two open objects { are hardcoded
+      Json
+        .parse("{\"foo\":  {\"arr\":" + ("[" * depth) + "1" + ("]" * depth) + "}}")
+        .must(throwA[IllegalArgumentException].like { case e: IllegalArgumentException =>
+          e.getMessage.must(equalTo("Document nesting depth exceeds the maximum allowed (1000)."))
+        })
+    }
+  }
+
+  "allow parsing many non-nested arrays and objects, not relevant for depth check" in {
+    try {
+      val repeat = 9999 // 10 thousand in total
+      Json.parse("{\"foo\": [" + ("{\"arr\":[1]}," * repeat) + "{\"arr\":[1]}]}")
+    } catch {
+      case _: StackOverflowError =>
+        ko("StackOverflowError thrown")
+      case _: OutOfMemoryError =>
+        ko("OutOfMemoryError thrown")
+    }
+    ok
   }
 }